Kerberos error after ambari upgrade

I have raised this question earlier too, but still couldn't solve this issue. Any help would be great. I upgraded Ambari from 2.1 to 2.2, and after that, if I try to enable Kerberos, I see the error "KDC host unreachable". But in an environment where Ambari is still 2.1, I don't see this error. Is this a bug in Ambari for this upgrade?

Log messages are not clear

19 Apr 2016 05:56:16,683 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at over TCP

19 Apr 2016 05:56:16,685 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at over UDP

19 Apr 2016 05:56:16,685 ERROR [qtp-ambari-client-29] KdcServerConnectionVerification:113 - Failed to connect to the KDC at using either TCP or UDP

P.S.: I have just deleted the hostname in the above logs for the sake of anonymity.

1 ACCEPTED SOLUTION

@ARUNKUMAR RAMASAMY

If you turn on debugging, the error message will contain the reason for failure. I am not sure why we need to turn on debugging to get more information - you would think that this info would be normally available.

To turn on debugging, edit /etc/ambari-server/conf/log4j.properties and set the following line (line #28) from:

log4j.rootLogger=INFO,file

to

log4j.rootLogger=DEBUG,file

Then restart ambari, try again and see what the error message is.

Since the log will be rather verbose, you will want to search (or grep) for "KdcServerConnectionVerification".

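An added example, not part of the original answer and not Ambari code: a plain grep for the class name returns only the first line of each entry and drops any stack-trace lines that follow it, which is often where the cause is stated. The helper names below are hypothetical, the sample log is constructed, and the timestamp layout is assumed to match the log excerpt in the question.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names, not Ambari code).

# Constructed sample log, not real Ambari output; kdc.example.test is a placeholder host.
sample_log() {
  cat <<'EOF'
19 Apr 2016 05:56:16,600 INFO [main] SomeOtherClass:42 - unrelated entry
19 Apr 2016 05:56:16,683 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at kdc.example.test over TCP
java.lang.Exception: constructed placeholder cause
    at constructed.Frame.method(Frame.java:1)
19 Apr 2016 05:56:16,684 DEBUG [main] SomeOtherClass:43 - unrelated entry
    at constructed.Unrelated.frame(Unrelated.java:2)
19 Apr 2016 05:56:16,685 ERROR [qtp-ambari-client-29] KdcServerConnectionVerification:113 - Failed to connect to the KDC at kdc.example.test using either TCP or UDP
EOF
}

# kdc_entries [CLASS] < logfile
# Prints every entry logged by CLASS together with its continuation lines.
# A line starting with a "dd Mon yyyy hh:mm:ss,mmm" timestamp opens a new entry;
# any other line belongs to the entry before it.
kdc_entries() {
  awk -v cls="${1:-KdcServerConnectionVerification}" '
    /^[0-9][0-9] [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9] [0-9:,]+ / {
      # New entry: keep it only if the logger field names the class.
      keep = (index($0, "] " cls ":") > 0)
    }
    keep { print }
  '
}

# kdc_level_counts < logfile
# Counts the matching entries per log level (field 5 of a timestamped line).
kdc_level_counts() {
  kdc_entries | awk '
    /^[0-9][0-9] [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9] / { n[$5]++ }
    END { printf "DEBUG=%d WARN=%d ERROR=%d\n", n["DEBUG"], n["WARN"], n["ERROR"] }
  '
}

# Demo on the constructed sample; for real use, redirect the Ambari server log into the functions.
sample_log | kdc_entries
sample_log | kdc_level_counts
```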

4 REPLIES 4

By "enable kerberos" you mean, using Ambari to enable Kerberos security? At what step in the wizard do you see this error?

In general: make sure your /etc/krb5.conf is still correct, especially the KDC host. Make sure your KDC host is running. Try to authenticate yourself on the node itself, basically running "kinit <principal>", afterwards "klist" should show a valid ticket.

Is this a local MIT KDC or are you using an AD KDC?

@Jonas Straub, I am using MIT KDC and it is running fine. kinit and klist are working fine. I am getting the error when I click the "enable kerberos" wizard in Ambari.

These are the scenarios

1. Lab environment - Ambari 2.2.x (KDC is running on the same machine) - KDC host not reachable is the error

2. Dev environment - Ambari 2.2.x - KDC host not reachable is the error. Before upgrading to 2.2 (in Ambari 2.1), I was able to connect to the same KDC which now throws the error.

3. Prod environment - Ambari 2.1 - NO error, I am able to connect to the same KDC which is running in the lab environment.

My question is: has this upgrade anything to do with this error?

Thanks @Robert Levas, I enabled DEBUG and found out the issue. AES 256 was not enabled on the Linux machines. Ambari 2.1 doesn't seem to check this strictly, whereas Ambari 2.2 is strictly enforcing it. Thanks a lot for your help.